Abstract: Some embodiments provide a method for detecting a threat to a datacenter. The method receives a set of connections between a set of DCNs in the datacenter over a particular time period. The set of DCNs includes at least a first DCN at which a first anomalous event was detected. The method analyzes a set of detected anomalous events to identify additional anomalous events detected at other DCNs in the set of DCNs during the particular time period. Based on the first anomalous event and identified additional anomalous events, the method determines whether the anomalous events indicate a threat to the datacenter.

Abstract: Some embodiments provide a method for identifying security threats to a datacenter. From multiple host computers in the datacenter, the method receives attribute sets for multiple flows. Each respective attribute set for a respective flow includes at least (i) a source identifier for the respective flow and (ii) an indicator as to whether the respective flow is indicative of the source of the respective flow being a security threat. For each of multiple source identifiers, the method aggregates the received attribute sets to generate an aggregate attribute set for the source identifier that includes a combined measurement of security threat indicators. For a particular source identifier, the method adjusts a security threat likelihood score for the source corresponding to the particular source identifier based on the combined measurement of security threat indicators for the source identifier.

Abstract: Some embodiments provide a novel method for monitoring health of LFEs of a logical network. For an LFE implemented by multiple PFEs, a health analytics manager identifies a set of one or more metrics associated with each PFE implementing the LFE. The health analytics manager uses the set of metrics to compute a health score for the LFE. Then, the health analytics manager provides the health score in a report to provide an indication regarding the monitored health of the LFE. The set of metrics used to compute the health score for the LFE includes, in some embodiments, at least one metric for each PFE implementing the LFE.

Abstract: Some embodiments provide a novel method of assessing health of a software managed network (SMN) that includes multiple forwarding elements that exchange data messages with each other. A health analytics manager collects performance metrics from control-plane components of the SMN that configure the forwarding elements of the SMN to forward data messages. The health analytics manager also collects performance metrics from data-plane components including the forwarding elements of the SMN. Then, the health analytics manager generates one health score from the collected performance metrics of the control-plane and data-plane components to express an overall health of the SMN.

Abstract: Some embodiments provide a novel method for monitoring health of logical networks. For a logical network including multiple LFEs, a health analytics manager identifies a set of one or more metrics associated with each LFE in the logical network. The health analytics manager uses the set of metrics to compute a health score for the logical network. Then, the health analytics manager provides the health score in a report to provide an indication regarding the monitored health of the logical network. In some embodiments, at least one LFE is implemented by multiple PFEs, and the set of metrics includes metrics associated with each of the PFEs implementing the at least one LFE.

Abstract: The disclosure herein describes managing the execution of ML pipelines based at least in part on a dependency graph using a feature service. A plurality of feature creator processes are scheduled for execution using a set of feature creation resources. The scheduling is based at least in part on a dependency graph which describes dependency relationships between the plurality of feature creator processes and raw data sets stored in a raw data cache. The scheduled feature creator processes are then executed, wherein feature sets are created from the executed feature creator processes. The features sets are stored in a feature cache and the stored feature sets are exposed to a feature consumer using a feature interface. The use of the dependency graph and the raw data and feature caches enables the disclosure to reduce duplicated effort and resource usage across multiple pipelines that are executed on the system.

Abstract: Some embodiments provide a method for detecting a threat to a datacenter. The method generates a graph of connections between data compute nodes (DCNs) in the datacenter. Each connection has an associated time period during which the connection is active. The method receives an anomalous event occurring during a particular time period at a particular DCN operating in the datacenter. The method analyzes the generated graph to determine a set of paths between DCNs in the datacenter that include connections to the particular DCN during the particular time period. The method uses the set of paths to identify a threat to the datacenter.

Abstract: Some embodiments provide a method for identifying security threats to a datacenter. The method receives flow attribute sets for multiple flows from multiple host computers in the datacenter on which data compute nodes (DCNs) execute. Each flow attribute set indicates at least a source DCN for the flow. The method identifies flow attribute sets that correspond to DCNs responding to name resolution requests. For each DCN of a set of DCNs executing on the host computers, the method determines whether the DCN has sent responses to name resolution requests in a manner that deviates from a historical baseline for the DCN based on the identified flow attribute sets. When a particular DCN has sent responses to name resolution requests in a manner that deviates from a historical baseline for the particular DCN, the method identifies the particular DCN as a security threat to the datacenter.

Abstract: Some embodiments provide a method for identifying security threats to a datacenter. From multiple host computers in the datacenter, the method receives data indicating port usage for a particular time period for each of multiple destination data compute nodes (DCNs) executing on the host computers. For each DCN of a set of the destination DCNs, identifies whether the port usage for the particular time period deviates from a historical baseline port usage for the DCN. When the port usage for a particular DCN deviates from the historical baseline for the particular DCN, the method identifies the particular DCN as a target of a security threat.

Abstract: Some embodiments provide a novel method for monitoring health of an SMN that includes multiple networking components. A health analytics manager identifies a set of one or more metrics associated with the network components of the SMN. The health analytics manager uses the set of metrics to compute a first health score for the SMN. Then, the health analytics manager presents the first health score in a UI along with (1) data regarding how the first health score was computed, and (2) a set of one or more parameters for a user to modify how the health for the SMN is computed. After receiving from the user one or more modifications to at least one of the parameters, the health analytics manager computes a second health score for the SMN based on the modified set of parameters.

Abstract: Some embodiments provide a method for identifying security threats to a datacenter. The method receives flow attribute sets for multiple flows from multiple host computers in the datacenter on which data compute nodes (DCNs) execute. Each flow attribute set indicates at least a source DCN for the flow. The method identifies flow attribute sets that correspond to DCNs responding to name resolution requests. For each DCN of a set of DCNs executing on the host computers, the method determines whether the DCN has sent responses to name resolution requests in a manner that deviates from a historical baseline for the DCN based on the identified flow attribute sets. When a particular DCN has sent responses to name resolution requests in a manner that deviates from a historical baseline for the particular DCN, the method identifies the particular DCN as a security threat to the datacenter.

Abstract: Some embodiments provide a system for detecting threats to a datacenter. The system includes a set of processing units and a set of non-transitory machine-readable media storing an analysis appliance. The analysis appliance includes multiple event detectors that analyze information received from host computers in the datacenter to identify anomalous events occurring in the datacenter. The analysis appliance includes a graph generation module that generates a graph of connections between data compute nodes (DCNs) in the datacenter based on the information received from the host computers. The analysis appliance includes a lateral movement threat detection module that (i) uses the graph of connections to identify a set of connections between a set of the DCNs based on a particular anomalous event and (ii) uses the set of connections and the identified anomalous events to determine whether the set of connections is indicative of a lateral movement attack on the datacenter.

Abstract: Some embodiments provide a method for detecting a threat to a datacenter. The method receives a set of connections between a set of DCNs in the datacenter over a particular time period. The set of DCNs includes at least a first DCN at which a first anomalous event was detected. The method analyzes a set of detected anomalous events to identify additional anomalous events detected at other DCNs in the set of DCNs during the particular time period. Based on the first anomalous event and identified additional anomalous events, the method determines whether the anomalous events indicate a threat to the datacenter.

Abstract: Some embodiments provide a method for detecting a threat to a datacenter. The method generates a graph of connections between data compute nodes (DCNs) in the datacenter. Each connection has an associated time period during which the connection is active. The method receives an anomalous event occurring during a particular time period at a particular DCN operating in the datacenter. The method analyzes the generated graph to determine a set of paths between DCNs in the datacenter that include connections to the particular DCN during the particular time period. The method uses the set of paths to identify a threat to the datacenter.

Abstract: Some embodiments provide a method for identifying policy misconfiguration in a datacenter. Based on flow data received for a plurality of data compute nodes (DCNs) in the datacenter, the method determines that an anomalous amount of data traffic relating to a particular DCN has been dropped. The method uses (i) the received flow data for the particular DCN and (ii) a set of recent policy configuration changes to determine policy configuration changes that contributed to the anomalous amount of dropped data traffic relating to the particular DCN. The method generates an alert for presentation to a user indicating the anomalous amount of data traffic and the contributing policy configuration changes.

Abstract: Some embodiments provide a method for identifying security threats to a datacenter. From multiple host computers in the datacenter, the method receives data indicating port usage for a particular time period for each of multiple destination data compute nodes (DCNs) executing on the host computers. For each DCN of a set of the destination DCNs, identifies whether the port usage for the particular time period deviates from a historical baseline port usage for the DCN. When the port usage for a particular DCN deviates from the historical baseline for the particular DCN, the method identifies the particular DCN as a target of a security threat.

Abstract: Some embodiments provide a method for identifying security threats to a datacenter. From multiple host computers in the datacenter, the method receives attribute sets for multiple flows. Each respective attribute set for a respective flow includes at least (i) a source identifier for the respective flow and (ii) an indicator as to whether the respective flow is indicative of the source of the respective flow being a security threat. For each of multiple source identifiers, the method aggregates the received attribute sets to generate an aggregate attribute set for the source identifier that includes a combined measurement of security threat indicators. For a particular source identifier, the method adjusts a security threat likelihood score for the source corresponding to the particular source identifier based on the combined measurement of security threat indicators for the source identifier.

Abstract: In a computer-implemented method for upgrading a fault tolerant hyper-converged infrastructure in an environment with no additional physical infrastructure, a workload domain having a plurality of hosts is chosen for an upgrade. One or more conflict groups are calculated for each host, and a physical host in the workload domain is selected. A number and a size of one or more nested hosts is determined and a different nested host is created in a management cluster for each of the one more conflict groups in the physical host. A communication network provides communication between a virtual machine (VM) on the different nested host and a VM in the physical host. The physical host is put into a maintenance mode, upgraded, and then returned from the maintenance mode to an operational mode.

Abstract: In a computer-implemented method for using a nested host manager in a hyper converged infrastructure to streamline the upgrade process for one or more hosts in a workload domain, a first workload domain having one or more hosts is chosen, and at least one host of the one or more hosts is designated for an upgrade. The resource allotment of the at least one host is evaluated and a nested host having a comparable resource allotment is selected and provided in a second workload domain. Communication is redirected from the at least one host to the nested host. The at least one host is placed in a maintenance mode, updated, and returned to an operational mode.

Abstract: Systems and methods herein can provide virtual resource management for hyper-converged infrastructures. In an example, a method can include identifying an overloaded cluster requesting at least one resource, the overloaded cluster including a hypervisor on a virtual machine. The method can further include identifying an additional cluster having a free resource corresponding to the requested resource. The method can include instantiating a nested host on the additional cluster, the nested host being configured to provide the free resource and the nested hosted comprising an additional hypervisor that manages an additional virtual machine. Further, the method can include registering the nested host with the overloaded cluster such that the overloaded cluster is authorized to use the free resource.